authorjvoisin2015-07-29 16:27:30 +0200
committerjvoisin2015-07-29 16:27:30 +0200
commitbee60884bc2a4738827accdf5e3c89e865b9f453 (patch)
treec701a230e4bdd5c8e4debae91fd3f5cef701866c
parentd44eb84ad1492f70555c20c49a7f39d8e5b9409f (diff)
Add some more rules
-rw-r--r--malwares.yara11
1 files changed, 5 insertions, 6 deletions
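--- a/malwares.yara
+++ b/malwares.yara
@@ -56,12 +56,11 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
+        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
         $strange_arg = /\${\$[0-9a-zA-z]+}/
     condition:
         any of them and not IsWhitelisted
@@ -74,6 +73,7 @@ private rule base64
         $system = "c3lzdGVt"
         $preg_replace = "cHJlZ19yZXBsYWNl"
         $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
     condition:
         any of them
 }
@@ -100,8 +100,7 @@ rule DodgyPhp
 {
     strings:
         $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
-        $double_encoding = /(base64_decode\s*\(\s*){2}/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
@@ -150,7 +149,7 @@ rule DangerousPhp
         $ = "call_user_func" fullword
         $ = "register_shutdown_function" fullword
         $ = "register_tick_function" fullword
-        $ = /ob_start\s*\(\s*['"]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
         $ = "mb_ereg_replace_callback" fullword
         $ = "preg_replace_callback" fullword
 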
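Review bot: The widened `$ = /ob_start\s*\(\s*[^\)]/` in the `DangerousPhp` hunk now matches any `ob_start()` call that has an argument, not only the quoted-callback form the old `['"]` class required, so ordinary `ob_start($handler)` or `ob_start(null, 4096)` calls in legitimate framework code will hit this string too; how much that matters depends on the rule's `condition`, which is outside the hunk. The trailing comment still shows only the quoted `ob_start('assert')` example, so the broadening reads as accidental; I would make the intent explicit: `// any ob_start() callback argument, not only quoted ones, e.g. ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();`. In the `base64` hunk, the added `$base64_decode = "YmFzZTY0X2RlY29kZ"` (like the existing `$exec = "ZXhlYyg"`) covers only one of the three base64 alignments of the plaintext, so a one-line comment on that rule stating the alignment assumption would keep the next maintainer from reading a missed shifted encoding as a bug.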